Computer Network Security Arrangements

The present invention relates to computer network
security, and more particularly to arrangements for providing
security to or between a plurality of computer data networks.

An increasingly important concern for computer system
developers is that of data security. Where a computer system
comprises more than one data network, or provides a link to
some remote data network, then the potential exists for
unauthorised access to or transfer of confidential information
between those networks via the physical interfaces which are
provided between them.

The conventional approach to securing a network
interface is to provide a so-called 'fire-wall'. Such a device
provides security by filtering the data traffic between two or
more networks according to pre-defined software instructions.
A 'fire-wall' arrangement is, however, costly to install and
maintain, remains susceptible to 'hacking', and is not
resilient to the failure of its interface circuitry.

I have now devised arrangements which overcome the
above-mentioned limitations associated with existing network
security.

In accordance with the present invention, there is
provided a computer system which comprises two or more
independent data networks and at least one computer terminal,
the or each computer terminal having a switching means
associated therewith for selectively interfacing that computer
terminal with any one of said data networks, one-at-a-time, via
respective communication channels.

In this system, each computer terminal interfaces with
the networks one-at-a-time, and therefore never with two (or
more) networks simultaneously. Accordingly, there is never a
direct communication channel or link established between
different networks.

It is however possible to provide a link, such as an
electronic mail (e-mail) link, between two networks, providing
such a link does not provide direct access, from one network,
to any data storage or processing equipment on the other
network.

In the above-defined computer system, one of the
networks may be an external network, e.g. the Internet. Two
or more of the networks may be provided in a common
organisation, in which it is required to restrict the access
between those networks.

The switching means may be incorporated in the
respective computer terminal or it may form a separate unit
connected to that computer terminal. Typically each computer
terminal comprises a personal computer (PC).

Preferably the switching means comprises a plurality of
data routing circuits which are electrically or electronically
re-configurable according to control signals issued by the
respective computer terminal.

Preferably the electronically re-configurable data
routing circuits comprise electromagnetic relay devices driven
by Darlington amplifier circuits.

Preferably the switching means receives data and/or
control signals either directly via the internal bus system of
the respective computer terminal, or indirectly via a parallel
or serial interface card.

Preferably the switching means is controlled via
software driver routines running on the respective computer
terminal.

Preferably the computer network data is carried by an
'unshielded twisted pair' cable but may instead be carried by
other cable types such as shielded coaxial or fibre-optic.

Preferably the switching means routes data via one or
other of two 4-way data channels comprising an 8-way 'splitter'
cable.

Also in accordance with the present invention, there is
provided a computer input/output interface card, comprising
parallel and/or serial interface circuitry, and switching means
for selectively interfacing said interface circuitry with any
one of a plurality of independent computer data networks,
one-at-a-time, via respective communication channels.

Further in accordance with the present invention, there
is provided a switching device for selectively interfacing a
computer with any one of a plurality of independent data
networks, one-at-a-time, via respective communication channels.

An embodiment of the present invention will now be
described by way of example only and with reference to the
accompanying drawings, in which:
FIGURE 1 is a schematic diagram of a prior art computer
system;

FIGURE 2 is a schematic diagram of a computer system in
accordance with the present invention;

FIGURE 3 is a circuit diagram of an electronic
switching device in accordance with the present invention; and

FIGURE 4 is a schematic showing two possible data
channel assignments which can be provided by the device of
Figure 3.

Referring to Figure 1 of the drawings, there is shown
a typical prior art computer system comprising first and second
computer data networks 7, 8 each supporting a variety of
hardware elements such as file servers 1 and computer terminals
2. The two networks are interconnected by a common data
channel via respective interface circuitry or 'hubs' 4. The
second network 7 is additionally connected to a remote site via
a telephone system 5.

A 'fire-wall' or programmable network access device 9
is provided between the two networks and another such device
6 is provided between the second network and the telephone
system. These devices are intended to provide network security
by filtering the data passing between respective networks,
permitting data access and transfer only in accordance with
pre-defined access tables, passwords etc.

Such a 'fire-wall' network interface has a number of
significant disadvantages. Firstly, it is costly to install
and maintain, often requiring a systems engineer to supervise
its operation. Secondly, by sustaining a permanent hardware
link between the two networks, such an interface is inherently
susceptible to software 'hacking' or to malicious infection
with a computer virus. Thirdly, as only a single data channel
is provided between the two networks, the failure or incorrect
functioning of the intermediate 'fire-wall' device will
critically affect all communications between the two networks.

Figure 2 illustrates a computer system in accordance
with the present invention, wherein the need for a 'fire-wall'
device between the two data networks has been obviated. Each
computer terminal e.g. 3 is provided with a re-configurable
electronic switching device 13 that allows it to be connected
to one or other of the data networks 7,8 according to a control
signal 12 from the respective computer terminal 3. A splitter
cable connects the appropriate cable cores from the computer
terminal 3 to its respective interface hub 10.

Such an arrangement has the important advantage that no
direct communications channel or link ever exists between the
two networks, which might allow direct access to one network
from the other. For example, in Figure 2, whilst computer
terminal 3 may access either network 7 or network 8, network
8 is secure from any attempted access via a terminal not
provided with an electronic switching device 13, or from a
remote site connected to network 7 via the telephone system 5
and 'fire-wall' 6.

A further point to note is that in a system comprising
a number of computer terminals, wherein each terminal is
connected via a network switching device 13, that connection
is fully independent of all others. Therefore, in the event
that the network switching device associated with any one
terminal should fail, full network access is still available
to all other terminals.

It is however possible for the system to include a link
between the two networks, providing this does not give direct
access, from one network, to any data storage or processing
equipment on the other network. Thus, an electronic mail
(e-mail) link 11 may be provided between the networks.

The switching between the networks is controlled by the
respective computer terminal: this can be achieved through use
of any suitable operating system run on that terminal (e.g.
Windows).

Figure 3 is a schematic diagram of an electronic
circuit suitable for implementing the electronic switching
device 13 and comprises a 4-way data input 20 from a computer
'PC', an 8-way data output 22 to a splitter cable 'SKT' and a
control signal input 24 from an interface card 'I/O Card'.

With no voltage applied to any of the relays 'Rly 1' to
'Rly 4', inputs 1,2,3 and 6 from 'PC' are routed to the
corresponding outputs of 'SKT' as shown in Figure 4A. However,
the circuit is re-configurable by applying an appropriate
pattern of control signals to 'I/O Card'. These signals are
amplified by IC1, a 'Darlington driver' circuit, in order to
produce corresponding output voltages capable of switching one
or more of the relays 'Rly 1' to 'Rly 4', thereby re-routing
certain of the 'PC' input data signals to alternative 'SKT'
outputs.

Figure 4B illustrates the effect of applying an 'ALL
1's' signal to inputs 4 to 7 of 'I/O Card', thereby switching
all four relays so that inputs 1,2,3 and 6 of 'SKT' are
re-routed to outputs 4,5,7 and 8 of 'SKT' respectively.

Inputs 1 and 2 of 'I/O Card' connect a supply voltage
and a ground respectively. A signal applied to input 3 of 'I/O
Card' will turn on light-emitting-diode Led1 which may be used
to indicate the current state of the device.

In the example of Figure 4, outputs 1,2,3 and 6 of
'SKT' are connected via a splitter cable to the corresponding
data lines of a local network bus, while outputs 4,5,7 and 8
are connected to a remote network e.g. the Internet.
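
The routing described for Figures 3 and 4, modelled in C as an added example that is not part of the patent text. It assumes that 'I/O Card' inputs 4 to 7 drive 'Rly 1' to 'Rly 4' in that order, which the description does not state, and checked_write is a hypothetical driver-side guard.

```c
#include <stdio.h>

/* From the description: PC lines 1,2,3,6 leave on the same-numbered 'SKT'
   outputs with a relay released, and on 4,5,7,8 with it energised. */
static const int SKT_RELEASED[4]  = {1, 2, 3, 6};  /* local network bus */
static const int SKT_ENERGISED[4] = {4, 5, 7, 8};  /* remote network    */

enum net_state { NET_LOCAL, NET_REMOTE, NET_SPLIT };

/* Assumption: bit i of `pattern` is the level on 'I/O Card' input 4+i and
   drives 'Rly i+1'. Each relay is modelled as a changeover contact, so a
   PC line is always on exactly one 'SKT' output. */
int skt_output(unsigned pattern, int relay) {
    return ((pattern >> relay) & 1u) ? SKT_ENERGISED[relay] : SKT_RELEASED[relay];
}

/* Only 0000 and 1111 place all four conductors on a single network. */
enum net_state classify(unsigned pattern) {
    pattern &= 0xFu;
    if (pattern == 0x0u) return NET_LOCAL;
    if (pattern == 0xFu) return NET_REMOTE;
    return NET_SPLIT;
}

/* Hypothetical driver-side guard: refuse any pattern that would leave the
   conductors divided between the two networks. Returns 0 if accepted. */
int checked_write(unsigned requested, unsigned *latch) {
    if (classify(requested) == NET_SPLIT) return -1;
    *latch = requested & 0xFu;
    return 0;
}

int count_split_patterns(void) {
    int n = 0;
    for (unsigned p = 0; p < 16; p++)
        if (classify(p) == NET_SPLIT) n++;
    return n;
}

int main(void) {
    unsigned latch = 0;  /* power-off state: all relays released */
    int rejected = checked_write(0x5, &latch);
    int accepted = checked_write(0xF, &latch);
    printf("split patterns: %d of 16, 0x5 -> %d, 0xF -> %d, line 6 -> SKT %d\n",
           count_split_patterns(), rejected, accepted, skt_output(latch, 3));
    return 0;
}
```

Of the 16 possible patterns on inputs 4 to 7, only two route all four conductors to one network, and with every relay released the terminal sits on the local network outputs.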

It will be appreciated that the arrangement shown in
Figure 2 can be achieved by reconfiguring the arrangement shown
in Figure 1, that is to say the existing cable can be used, and
no new cable installation is needed.

Claims

1) A computer system comprising two or more independent
data networks and at least one computer terminal, the or each
computer terminal having a switching means associated therewith
for selectively interfacing that computer terminal with any one
of said data networks, one-at-a-time, via respective
communication channels.

2) A computer system as claimed in Claim 1, wherein one of
said data networks comprises an external network.

3) A computer system as claimed in Claim 1 or 2, wherein
the or each said switching means is incorporated into its
respective computer terminal.

4) A computer system as claimed in Claim 1 or 2, wherein
the or each said switching means comprises a separate unit
connected to its respective computer terminal.

5) A computer system as claimed in any preceding claim,
wherein the or each said computer terminal comprises a personal
computer (PC).

6) A computer system as claimed in any preceding claim,
wherein the or each said switching means comprises a plurality
of data routing circuits which are electrically or
electronically re-configurable according to control signals
issued by its respective computer terminal.

7) A computer system as claimed in Claim 6, wherein said
electronically re-configurable data routing circuits comprise
electromagnetic relay devices driven by Darlington amplifier
circuits.

8) A computer system as claimed in any preceding claim,
wherein the or each said switching means receives data and/or
control signals either directly via the internal bus system of
its respective computer terminal, or indirectly via a parallel
or serial interface card.

9) A computer system as claimed in any preceding claim,
wherein the or each said switching means is controlled via
software driver routines running on its respective computer
terminal.

10) A computer system as claimed in any preceding claim,
wherein the or each said switching means routes data via one
or other of two 4-way data channels comprising an 8-way
'splitter' cable.

11) A computer system as claimed in any preceding claim,
wherein network data is carried by an unshielded twisted pair
cable.

12) A computer system as claimed in any of claims 1 to 10,
wherein network data is carried by a shielded coaxial cable.

13) A computer system as claimed in any of claims 1 to 10,
wherein network data is carried by a fibre-optic cable.

14) A computer input/output interface card, comprising
parallel and/or serial interface circuitry, and switching means
for selectively interfacing said interface circuitry with any
one of a plurality of independent computer data networks,
one-at-a-time, via respective communication channels.

15) A switching device for selectively interfacing a
computer with any one of a plurality of independent data
networks, one-at-a-time, via respective communication channels.